Business transactions and affairs of individuals are increasingly being conducted over the Internet and the World-Wide Web (WWW). As a result, security and establishment of a user's legitimate identity within an electronic environment are vital to privacy concerns and to secure transaction processing.
Typically, identity is established via the use of some identifier for a user and some associated secret. This is commonly achieved via a user id (identifier) and a password (secret) combination. One issue with this approach is that user ids and passwords can be easily stolen or compromised via derived information known about a particular user. For example, it is common for a user to establish a password based on personal information concerning the user that is readily acquired by others, such as a birthdate, wedding anniversary date, Social Security Number (SSN), etc. Moreover, for any particular network-based service the user id and password combination must be unique at least with respect to that particular service.
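The weakness described above, a password derived from personal data that others can readily obtain, is something a service can screen for at enrollment. The following is an added illustration, not code from the patent or from any product it describes; the profile field names (`birthdate`, `anniversary`, `ssn`, `names`) and the set of date spellings checked are assumptions chosen for the example. It rejects a candidate password that embeds the user's birthdate or anniversary in common numeric spellings, the full or last four digits of the SSN, or a name on file.

```python
from datetime import date
from typing import Dict, Optional, Set


def _date_variants(d: date) -> Set[str]:
    """Numeric spellings of a date that people commonly embed in passwords (assumed list)."""
    y, m, dd = d.year, d.month, d.day
    yy = f"{y % 100:02d}"
    return {
        f"{m:02d}{dd:02d}{y}", f"{m:02d}{dd:02d}{yy}", f"{m}{dd}{yy}",   # MMDDYYYY, MMDDYY, MDDYY
        f"{dd:02d}{m:02d}{y}", f"{dd:02d}{m:02d}{yy}",                   # DDMMYYYY, DDMMYY
        f"{y}{m:02d}{dd:02d}", f"{y}", f"{m:02d}{dd:02d}",               # YYYYMMDD, YYYY, MMDD
    }


def password_derived_from_profile(password: str, profile: Dict) -> Optional[str]:
    """Return the name of the profile field the password appears to be built from,
    or None if no personal-data fragment is found.

    profile keys (assumed for this example):
      'birthdate', 'anniversary' : datetime.date
      'ssn'                      : str, digits with optional separators
      'names'                    : list of str (given name, surname, ...)
    """
    pw = password.lower()

    # Dates: birthdate and anniversary in the spellings above.
    for field in ("birthdate", "anniversary"):
        d = profile.get(field)
        if d is None:
            continue
        if any(v in pw for v in _date_variants(d)):
            return field

    # SSN: the whole number or just its last four digits.
    ssn = profile.get("ssn")
    if ssn:
        digits = "".join(ch for ch in ssn if ch.isdigit())
        if digits and (digits in pw or digits[-4:] in pw):
            return "ssn"

    # Names: any name of three or more characters, case-insensitive.
    for name in profile.get("names", []):
        if len(name) >= 3 and name.lower() in pw:
            return "names"

    return None


if __name__ == "__main__":
    # Constructed sample profile for demonstration only.
    sample = {
        "birthdate": date(1985, 7, 4),
        "anniversary": date(2010, 6, 12),
        "ssn": "123-45-6789",
        "names": ["Alice", "Smith"],
    }
    for candidate in ("Alice1985!", "Smith0612", "pw6789", "Xk9$tq2Lm"):
        print(candidate, "->", password_derived_from_profile(candidate, sample))
```

A check like this belongs at password creation and reset, where the service already holds the profile; it reduces the chance that a password is guessable from publicly known facts about the user, which is the exposure the paragraph above describes.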
Once a user id and/or the password (or even a hash of the password) is stored and retained, this presents an opportunity for the id and password to be compromised. Furthermore, a user will often transmit the id and password over the network, such that eavesdroppers can acquire it more readily. Yet, nearly every service and system uses some form of the id and password combination to establish the legitimate identity of a user.
Additionally, users often have tens of different services that they access, resulting in a single id and password used for them all, different ids and passwords used for each of them, or some combination of the two. So, it is fairly common for users to forget a particular id and password combination for a service that they do not regularly visit. When this occurs, the service usually offers an automated means for the user to reset or reacquire his/her password. This presents still another security hole that intruders can take advantage of. For instance, an intruder can use a legitimate user's id to access an automated service's password reset or reacquisition features. Assuming the intruder can answer one or more simple questions, the intruder can have the password reset or acquire the legitimate user's password.
Some services may deploy biometrics, such as fingerprint scans, to avoid a number of the issues discussed above. The problem with this approach is that the device reading a particular fingerprint often has some degree of error, such that there may be false positives or false negatives. As a result, biometric techniques have not yet been fully embraced in the industry.
Thus, improved and automated techniques are needed for establishing the identities of users in an electronic and networked environment.